Sourcefire VRT Certified Rules Update
Date: 2005-07-22
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack.
The format of the file is:
sid - Message (rule group)
New rules:
3814 - WEB-CLIENT IE javaprxy.dll COM access (web-client.rules)
3815 - SMTP eXchange POP3 mail server overflow attempt (smtp.rules)
3816 - WEB-MISC BadBlue ext.dll buffer overflow attempt (web-misc.rules)
3817 - TFTP GET transfer mode overflow attempt (tftp.rules)
3818 - TFTP PUT transfer mode overflow attempt (tftp.rules)
3819 - WEB-CLIENT multipacket CHM file transfer start (web-client.rules)
3820 - WEB-CLIENT multipacket CHM file transfer attempt (web-client.rules)
3821 - WEB-CLIENT CHM file transfer attempt (web-client.rules)
3822 - WEB-MISC Real Player realtext long URI request (web-misc.rules)
3823 - WEB-MISC Real Player realtext file bad version buffer overflow attempt (web-misc.rules)
3824 - SMTP AUTH user overflow attempt (smtp.rules)
3825 - POLICY AOL Instant Messenger Message Send (policy.rules)
3826 - POLICY AOL Instant Messenger Message Receive (policy.rules)
3827 - WEB-PHP xmlrpc.php post attempt (web-php.rules)

Updated rules:
686 - MS-SQL xp_reg* - registry access (sql.rules)
689 - MS-SQL/SMB xp_reg* registry access (sql.rules)
971 - WEB-IIS ISAPI .printer access (web-iis.rules)
1018 - WEB-IIS iisadmpwd attempt (web-iis.rules)
1126 - WEB-MISC AuthChangeUrl access (web-misc.rules)
1447 - MISC MS Terminal server request RDP (misc.rules)
1476 - WEB-CGI sdbsearch.cgi access (web-cgi.rules)
1483 - WEB-CGI ustorekeeper.pl access (web-cgi.rules)
1526 - WEB-MISC basilix sendmail.inc access (web-misc.rules)
1527 - WEB-MISC basilix mysql.class access (web-misc.rules)
1567 - WEB-IIS /exchange/root.asp attempt (web-iis.rules)
1730 - WEB-CGI ustorekeeper.pl directory traversal attempt (web-cgi.rules)
1777 - FTP EXPLOIT STAT * dos attempt (ftp.rules)
1778 - FTP EXPLOIT STAT ? dos attempt (ftp.rules)
1801 - WEB-IIS .asp HTTP header buffer overflow attempt (web-iis.rules)
1802 - WEB-IIS .asa HTTP header buffer overflow attempt (web-iis.rules)
1803 - WEB-IIS .cer HTTP header buffer overflow attempt (web-iis.rules)
1804 - WEB-IIS .cdx HTTP header buffer overflow attempt (web-iis.rules)
1810 - ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE (attack-responses.rules)
1970 - WEB-IIS MDAC Content-Type overflow attempt (web-iis.rules)
1986 - CHAT MSN outbound file transfer request (chat.rules)
1988 - CHAT MSN outbound file transfer accept (chat.rules)
1989 - CHAT MSN outbound file transfer rejected (chat.rules)
2054 - WEB-CGI enter_bug.cgi arbitrary command attempt (web-cgi.rules)
2055 - WEB-CGI enter_bug.cgi access (web-cgi.rules)
2126 - MISC Microsoft PPTP Start Control Request buffer overflow attempt (misc.rules)
2133 - WEB-IIS MS BizTalk server access (web-iis.rules)
2243 - WEB-MISC ndcgi.exe access (web-misc.rules)
2435 - WEB-CLIENT Microsoft emf metafile access (web-client.rules)
2436 - WEB-CLIENT Microsoft wmf metafile access (web-client.rules)
2670 - WEB-CGI pgpmail.pl access (web-cgi.rules)
3148 - WEB-CLIENT winhelp clsid attempt (web-client.rules)
3149 - WEB-CLIENT object type overflow attempt (web-client.rules)
3150 - WEB-IIS SQLXML content type overflow (web-iis.rules)
3192 - WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web-client.rules)
3199 - EXPLOIT WINS name query overflow attempt TCP (exploit.rules)
3200 - EXPLOIT WINS name query overflow attempt UDP (exploit.rules)
3238 - NETBIOS DCERPC IrotIsRunning attempt (netbios.rules)
3239 - NETBIOS DCERPC IrotIsRunning little endian attempt (netbios.rules)
3256 - NETBIOS SMB IrotIsRunning attempt (netbios.rules)
3257 - NETBIOS SMB IrotIsRunning little endian attempt (netbios.rules)
3258 - NETBIOS SMB IrotIsRunning unicode attempt (netbios.rules)
3259 - NETBIOS SMB IrotIsRunning unicode little endian attempt (netbios.rules)
3260 - NETBIOS SMB IrotIsRunning andx attempt (netbios.rules)
3261 - NETBIOS SMB IrotIsRunning little endian andx attempt (netbios.rules)
3262 - NETBIOS SMB IrotIsRunning unicode andx attempt (netbios.rules)
3263 - NETBIOS SMB IrotIsRunning unicode little endian andx attempt (netbios.rules)
3264 - NETBIOS SMB-DS IrotIsRunning attempt (netbios.rules)
3265 - NETBIOS SMB-DS IrotIsRunning little endian attempt (netbios.rules)
3266 - NETBIOS SMB-DS IrotIsRunning unicode attempt (netbios.rules)
3267 - NETBIOS SMB-DS IrotIsRunning unicode little endian attempt (netbios.rules)
3268 - NETBIOS SMB-DS IrotIsRunning andx attempt (netbios.rules)
3269 - NETBIOS SMB-DS IrotIsRunning little endian andx attempt (netbios.rules)
3270 - NETBIOS SMB-DS IrotIsRunning unicode andx attempt (netbios.rules)
3271 - NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt (netbios.rules)
3461 - SMTP Content-Type overflow attempt (smtp.rules)
3462 - SMTP Content-Encoding overflow attempt (smtp.rules)
3466 - WEB-MISC Authorization Basic overflow attempt (web-misc.rules)
3682 - SMTP spoofed MIME-Type auto-execution attempt (smtp.rules)
